AIARCOASC Docs

ZTNA

Zero-trust network access: per-app SSO, device-posture, mTLS, no VPN required.

What it is

ZTNA replaces the VPN model. Each user/device gets per-app authorisation: a request must match the user's group, the device's posture, and the app's policy. Sessions terminate at the edge and the origin only sees authenticated, decrypted traffic over mTLS.

When to use it

  • Replace VPN for remote workforce.
  • Publish internal apps with no public IP.
  • Enforce posture (OS version, disk encryption) before granting access.

Quickstart

asc shield ztna apps create wiki --domain wiki.example.com --policy 'group:eng and device.posture.encrypted'
client.shield.ztna.apps.create(name='wiki', domain='wiki.example.com', policy='group:eng')
await client.shield.ztna.apps.create({ name: 'wiki', domain: 'wiki.example.com', policy: 'group:eng' });

Limits & quotas

LimitDefaultBurstNotes
Per user-seat$7 / user-mo
Identity providersOIDC / SAML 2.0

Pricing

See pricing. Pay-as-you-go, billed monthly via Stripe.

API surface

  • POST /v1/shield/ztna/apps

Required scope(s): shield:write. See Scopes.

Security

All access is authenticated and scoped. See Auth & scopes and Network controls.